From owner-freebsd-security Mon Mar 11 09:42:23 1996
From: Ollivier Robert
Message-Id: <199603110747.IAA01731@keltia.freenix.fr>
Subject: Re: How secure is FreeBSD 2.1 right after install?
To: sreid@edmbbs.iceonline.com
Date: Mon, 11 Mar 1996 08:47:28 +0100 (MET)
Cc: security@FreeBSD.ORG
In-Reply-To: <9603101704.D6300AZ@edmbbs.iceonline.com> from "sreid@edmbbs.iceonline.com" at "Mar 10, 96 05:04:26 pm"

It seems that sreid@edmbbs.iceonline.com said:
> I've already disabled the r*, finger and telnet services in inetd.conf.
> I don't expect I'll need them. Is there anything else I need to worry
> about?

Put some filters on your Cisco; refuse any internal address coming from the
external interface (IP spoofing), add access lists for what you don't want
to come from the Internet.

> I'm concerned that X might be a potential security hole, since it uses
> TCP port 6000 to accept connections from clients... Can I close off
> remote access to the X server without having to install a firewall? I

Block all connection attempts coming to port 6000-6099 coming from the
Internet. Use Xauthority-style authentication on the X server.

> won't need to access the X server from the LAN. Can X be set to ignore
> the TCP port?

You'll have to hack the source, that's not really necessary if you block at
the router level.

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Tue Feb 20 01:16:51 MET 1996
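
Added example, not part of the original message: the two router filters described in the reply (drop internal source addresses arriving on the external interface, drop TCP to ports 6000-6099), written as a constructed Cisco extended access list and checked with a small first-match evaluator before deployment. The list number 101 and the internal LAN 192.0.2.0/24 are assumptions, and the evaluator handles only the subset of ACL syntax used here.

```python
import ipaddress

# Constructed ACL for the router's external interface, applied inbound.
# 192.0.2.0/24 stands in for the internal LAN (an assumption).
ACL = """\
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny tcp any any range 6000 6099
access-list 101 permit ip any any
"""

def _addr(tok):
    """Consume 'any' or 'ADDR WILDCARD' from the front of a token list."""
    if tok[0] == "any":
        return None, tok[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (base, wild), tok[2:]

def parse(text):
    """Parse 'access-list N ACTION PROTO SRC DST [range LO HI]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        # A 'range' after the destination restricts the destination port.
        ports = (int(rest[1]), int(rest[2])) if rest[:1] == ["range"] else None
        rules.append((action, proto, src, dst, ports))
    return rules

def _match(spec, ip):
    # Wildcard bits set to 1 are "don't care" (the inverse of a netmask).
    if spec is None:
        return True
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def decide(rules, proto, src, dst, dport=None):
    """First matching rule wins; no match falls to the implicit deny."""
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto not in ("ip", proto):
            continue
        if not (_match(rsrc, src) and _match(rdst, dst)):
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"
```

The anti-spoofing line has to come before the final permit, since evaluation stops at the first match.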